For independent container updates, we plan to build our container image in a GitHub CI action and attach provenance info to it (#1035). In order to reproduce these builds, we already have a script in place that uses diffoci and its "semantic" reproducibility mode (see #1047).
So far, we were able to reproduce images that were built by the exact same container runtime. Different runtimes, however, and even different versions of the same runtime, can add annotations to the image that break reproducibility. We need to figure out a way to compare images so that small details like these (assuming they really are small, of course) don't break our scripts.
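One way to make the comparison tolerant of runtime-stamped annotations is to compare the OCI manifests with every `annotations` map stripped and report separately where the annotations differed. This is an added example, not the project's diffoci-based script; the two manifests and the `example.runtime/...` annotation keys are constructed to mimic the same layers built by two different runtimes.

```python
import copy
import json


def strip_annotations(node):
    """Recursively drop every 'annotations' map (top level and per descriptor)."""
    if isinstance(node, dict):
        return {k: strip_annotations(v) for k, v in node.items() if k != "annotations"}
    if isinstance(node, list):
        return [strip_annotations(v) for v in node]
    return node


def annotation_differences(a, b, path="$"):
    """List JSON paths whose 'annotations' maps differ between a and b."""
    diffs = []
    if isinstance(a, dict) and isinstance(b, dict):
        if a.get("annotations", {}) != b.get("annotations", {}):
            diffs.append(path + ".annotations")
        for key in sorted(set(a) | set(b)):
            if key != "annotations":
                diffs += annotation_differences(a.get(key), b.get(key), f"{path}.{key}")
    elif isinstance(a, list) and isinstance(b, list):
        for i, (x, y) in enumerate(zip(a, b)):
            diffs += annotation_differences(x, y, f"{path}[{i}]")
    return diffs


def compare_manifests(a, b):
    """Return (equivalent, annotation_paths). equivalent is True when the two
    manifests are identical once all annotations are ignored, so layer and
    config digests still have to match exactly."""
    canon = lambda m: json.dumps(strip_annotations(m), sort_keys=True)
    return canon(a) == canon(b), annotation_differences(a, b)


# Constructed sample manifests: same config and layer digests, different annotations.
LAYER = {"mediaType": "application/vnd.oci.image.layer.v1.tar+gzip",
         "digest": "sha256:" + "b" * 64, "size": 1024}
MANIFEST_A = {
    "schemaVersion": 2,
    "mediaType": "application/vnd.oci.image.manifest.v1+json",
    "config": {"mediaType": "application/vnd.oci.image.config.v1+json",
               "digest": "sha256:" + "a" * 64, "size": 512},
    "layers": [LAYER],
    "annotations": {"org.opencontainers.image.created": "2024-01-01T00:00:00Z"},
}
MANIFEST_B = copy.deepcopy(MANIFEST_A)
MANIFEST_B["annotations"] = {"org.opencontainers.image.created": "2024-01-02T00:00:00Z",
                             "example.runtime/version": "9.9.9"}       # constructed key
MANIFEST_B["layers"][0]["annotations"] = {"example.runtime/layer-note": "x"}  # constructed key
MANIFEST_C = copy.deepcopy(MANIFEST_A)           # a real content change, not an annotation
MANIFEST_C["layers"][0]["digest"] = "sha256:" + "c" * 64
```

Running `compare_manifests(MANIFEST_A, MANIFEST_B)` reports the images as equivalent while listing the two annotation paths that differ, whereas `MANIFEST_C` fails the comparison because a layer digest changed.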